David Lacey's IT Security Blog
The latest ideas, best practices, and business issues associated with managing security

Minimising the snooping
David Lacey, 2015-03-01

It was interesting to see Tim Cook,
CEO of Apple, voicing his opinions that government and companies should not have
access to private consumer information. It's rich coming from a vendor with
access to so much of our personal information.

I don't mind security services
having access for national security purposes. It's necessary in an increasingly
dangerous world and they safeguard it well. Employees are vetted, keep their mouths shut (Snowden excepted), and there
is no evidence of data breaches or misuse after decades of interception.

If
only we could say that about vendors.

Cyber security in Britain
David Lacey, 2015-02-12

Cyber security in Britain, including articles from Francis Maude, Peter Sommer and myself. (Mine's the doom and gloom "Ghosts in the Machine" piece.)
Showing our true character?
David Lacey, 2015-02-08

Last week GCHQ was censured over
its sharing of internet surveillance data with the United States. There's no real surprise here. But what is interesting is to read it in the context of the New Statesman's feature last week about growing political interest in the "Anglosphere", a
global alliance of English speaking countries.

I am reminded of Bill Haydon's
observation from Tinker Tailor Soldier Spy: "I still believe the secret services
are the only real expression of a nation's character".

If you can't beat them...
David Lacey, 2015-02-03

I keep reading defeatist
talk. The latest is from a chap called James Lewis, a cybersecurity expert at the Washington DC based Center for Strategic and International Studies, who has been claiming that businesses
should "stop worrying about preventing intruders getting into their computer
networks, and concentrate instead on minimising the damage they cause when they
do".

It would be a very black
day for cyber security if businesses stopped worrying about intrusions. Let's
face it, the reason we have so many is because we don't try hard enough to stop
them. The attackers are fast, smart and agile, and our defences are sloppy, dumb and slow to react. The DC man is right to
point this out, but the answer is to beef them up, not let the security
managers off the hook.

Valuable intellectual
property can be safeguarded by not storing it on networks. We don't do enough of this. Intruders can be
stopped or quickly detected by state-of-the-art defences, though these are rarely
deployed effectively even in large enterprises. Admittedly, some intelligence
services have the capability to by-pass any defence, but such attacks are
selectively mounted and should not be a reason for a wholesale abandonment of confidence
in preventative measures.

The "dwell time" of a
sophisticated APT intrusion is the serious new metric, though there is no mention
of it in ISO 27004, the international standard on this subject, which is perhaps where it all goes wrong. The modern CISO is bogged down in hundreds of pages of
paper nonsense which stops them applying common sense and judgement. The target
should be to reduce the dwell time from several years to less than a day.

Zero
days should be the target. But then that would be bordering on prevention...

Predictions for 2015
David Lacey, 2015-01-25

The last two years have been an
eye-opener for business, governments and citizens. They should now be aware of
the vulnerability of information systems to penetration by spies, hackers and
criminals. But do they care? Not that much it seems, as they clearly continue to
trust service providers with their data.

Perhaps we might experience one
or two wake-up calls this year. Certainly we can expect that everything to do
with intellectual assets and cyber security will be bigger, faster and more
volatile, as that is the underlying nature of the Information Age. At the same
time we can expect that little or nothing will get fixed or be any more secure,
as that costs money and reduces business opportunity.

So what in particular will be
waiting in the wings for cyber security professionals in 2015? Here are my personal
forecasts.

The Internet of Things will
be the primary focus of this year's research, investment and hype. But there will
be no killer applications or compelling business cases. It will remain largely a
solution looking for a problem, held back by a lack of imagination, standards
and security. The idea of publishing sensor data to citizens is a daft
aspiration from a security point of view. But researchers and product
developers do not listen to security experts.

There will be no escape for
security managers from the growing treacle of regulatory compliance. Amazingly,
implementing an information security management system to ISO standards requires
as many as fifty individual pieces of documentation. But the paper overhead will
continue to increase with more competing standards and questionnaires surfacing
each year. (I've had to develop a sophisticated 4D relational database to keep
up.) Technology can help but current GRC solutions are immature, and some add
to the swamp of data to be processed. This will be the year for CISOs to invest
in more efficient enterprise solutions.

Prediction is the new, 4th
dimension for security. The theme of this year's Infosecurity Europe is "Smart
data to detect, contain and respond". But the theme is outdated: smart vendors
such as Qualys have already added "predict" to the thirty-year old "prevent, detect,
respond" paradigm. A decade of regulatory compliance treacle has relegated
prediction to the back burner. It needs to bounce back. Let's all aim to reverse
this trend by pushing the focus firmly towards the future. It could be the
single most important paradigm shift of the year 2015.

Small data is the answer: We've seen increasing hype and emphasis about "big data" over the last few
years. The hype is slightly misplaced. The data does not have to be big, but it
needs to be intelligently selected and creatively combined. As Deming correctly
pointed out (though he is a bad poster boy for the Information Age), running a business
on visible figures alone is one of the seven deadly diseases of management. Today
we have numerous sources of data, within and without the enterprise. Fusing
this data will give better visibility of risks and incidents. The data does not
have to be big. Searching out, capturing and combining small data is the real
key to predictive analytics.

The commoditisation of cyber
security: It's sad to say but many companies have been foolishly paying
outrageously high fees for security experts that are little more than standards
readers or script-kiddies armed with open-source software tools. There is a
place for the expert and there is a place for the army of trainees. Don't mix them up. Smart
companies will outsource the latter to low cost off-shore service providers.

Cyber terrorism is a step closer
David Lacey, 2014-12-22

Behind the escalating war of
words between North Korea and the United States in the wake of the cyber
attacks on Sony lies a dangerous, but inevitable trend: the beginnings of real cyber
terrorism.

Although we have yet to witness
a major cyber terrorist incident, the potential for one is real, both in terms
of motivation and vulnerability. The inescapable fact is that critical national
infrastructure is vulnerable to damaging attacks and offensive techniques continue
to outstrip our ability to counter them.

Back in 1999 I forecast that
the electronic Pearl Harbour would occur around 2006-08, and was branded a doomsayer. Unfortunately, there are still many authorities in denial about the
risks. They are the elephants in the room: too damaging to contemplate and too expensive
to fix. They will not be addressed until a massive incident occurs.

Predictions for 2014
David Lacey, 2014-12-18

It's the time of year when we
reflect on our progress (or failures) over the last year and anticipate the
challenges of the coming year. Last year I made half a dozen predictions for
2014. How well did I do? Let's examine
them.

Escape from monoculture

A year ago I forecast that new security
technologies would provide a greater choice of defensive options, making things
less predictable for attackers. It hasn't quite happened yet, but there are
some emerging alternatives that look promising.

A new generation of attacks

I also drew attention to the
inevitable fact that the next generation of APT attacks would be richer, more
sophisticated and stealthier. That's certainly happened, so much so that we
can't detect the latest attacks, as illustrated by the recent discovery of a
sophisticated APT attack (Regin) dating back six years.

A backlash against security standards

I also predicted a growing backlash
against security standards, which are increasingly ineffective. That's certainly
been a major issue this year, commencing with the opening theme of the FIC 2014 conference in January:
"Is cyber security a failure?" Unfortunately there is no realistic alternative
for regulators to the growing mass of bureaucratic standards.

Improving strategic crisis response

On an optimistic note I forecast
that enterprises would develop improved crisis management capabilities,
correcting a long-standing weakness. I've certainly seen signs of this with the
growth in deployment of SIEM technologies and security operations centres (SOCs).

Cyber skills gap grows

I also noted the growing shortage
of high-end cyber skills, fuelled by the need to seek out a special kind of
person for key monitoring and analysis tasks. Interestingly, there are now several
proactive initiatives to employ or help find security work for dyslexic and
autistic graduates. This approach will grow.

No change at NSA

I forecast no major changes
in the operations at NSA, following Snowden. And I've yet to see any indication
of this. Large scale intelligence gathering is necessary to combat terrorism,
and that threat is growing.

Learning points

The events of 2014
demonstrated a number of inescapable truths. Fast-changing subject areas tend
to be held back by their legacy. The consequence is that they fail. Evolution
will not deliver solutions. Nothing short of a revolution will succeed. New technologies,
new skills and a new realism are needed to transform the effectiveness of cyber
security.

One day wonders
David Lacey, 2014-10-23

Last week Dr Hugh Thompson of Blue Coat and RSA fame was in London. I was fortunate to find a slot with him to
meet up and exchange ideas. I like Hugh because he's not like the regular, dull
vendors or CSOs that churn out the accepted security mantra. And he understands
the importance of the human and political factors in achieving effective
security.

Hugh updated me on his latest
Blue Coat research on "One day wonders", i.e. websites that exist for less than a
day. It's an important landscape as a surprisingly high 71% of all web sites
exist for 24 hours or less. More worrying is the disturbing fact that these
sites attract hackers, villains and other bad people.

Of course most one-day
wonders are legitimate and exist to deliver a better user experience. Many are
organizations such as Google, Amazon and Yahoo with a substantial Internet
presence. That's why they're popular. Unfortunately there's a darker side, as
malware operators seek to generate large numbers of popular sub-domains built
on a foundation of evil domains. Sites are selected to support mass attacks
on targeted victims, attacks that are highly scalable, difficult to track and
easy to implement.
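As an added example, not from the post or from Blue Coat's research, here is a small triage script that turns the observation above into a defensive signal over web-proxy logs: it finds hostnames whose whole observed lifetime fits inside 24 hours and then flags parent domains that spawn many of them. The log format, the 24-hour window, the child-count threshold and the naive parent-domain extraction are all assumptions, and the log lines are constructed.

```python
"""Flag short-lived hostnames and the parent domains that spawn many of them.

Added example, not code from the blog post or from Blue Coat.  Input is a
constructed web-proxy log with one record per line:
    <ISO-8601 timestamp> <client IP> <hostname>
The format, thresholds and parent-domain logic are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log (not real traffic, .test TLD is reserved).
SAMPLE_LOG = """\
2014-10-20T08:00:00 10.0.0.5 www.example-news.test
2014-10-20T08:05:00 10.0.0.5 cdn1.example-news.test
2014-10-20T09:00:00 10.0.0.7 a1b2c3.bad-parent.test
2014-10-20T09:30:00 10.0.0.9 d4e5f6.bad-parent.test
2014-10-20T11:00:00 10.0.0.7 g7h8i9.bad-parent.test
2014-10-20T12:00:00 10.0.0.5 www.example-news.test
2014-10-21T08:30:00 10.0.0.5 www.example-news.test
2014-10-21T14:00:00 10.0.0.9 j0k1l2.bad-parent.test
2014-10-22T10:00:00 10.0.0.7 cdn1.example-news.test
"""


def parse_log(text):
    """Yield (timestamp, client, hostname) tuples from the constructed log."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, client, host = line.split()
        yield datetime.fromisoformat(ts), client, host.lower().rstrip(".")


def registered_domain(host):
    """Naive parent-domain extraction: the last two labels.

    A real deployment would consult the Public Suffix List so that e.g.
    'x.co.uk' is not treated as a parent domain (assumption, not done here).
    """
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def host_lifetimes(records):
    """Return {hostname: (first_seen, last_seen)} across the whole log."""
    seen = {}
    for ts, _client, host in records:
        first, last = seen.get(host, (ts, ts))
        seen[host] = (min(first, ts), max(last, ts))
    return seen


def one_day_wonders(lifetimes, window=timedelta(hours=24)):
    """Hosts whose observed lifetime fits inside the window.

    Edge case: a host first seen less than one window before the end of the
    log cannot be judged yet (it may simply not have had time to recur), so
    it is left out rather than counted as short-lived.
    """
    if not lifetimes:
        return set()
    log_end = max(last for _first, last in lifetimes.values())
    return {
        host
        for host, (first, last) in lifetimes.items()
        if last - first <= window and log_end - first >= window
    }


def suspicious_parents(lifetimes, min_children=3, window=timedelta(hours=24)):
    """Parent domains with at least min_children distinct short-lived subdomains.

    Legitimate sites also use short-lived hosts (CDNs, tracking pixels), so this
    is a triage signal for an analyst, not a verdict; the threshold is assumed.
    """
    children = defaultdict(set)
    for host in one_day_wonders(lifetimes, window):
        parent = registered_domain(host)
        if host != parent:
            children[parent].add(host)
    return {p: sorted(c) for p, c in children.items() if len(c) >= min_children}


def analyse(text):
    """Run the whole pipeline; returns (short-lived hosts, parents to triage)."""
    lifetimes = host_lifetimes(parse_log(text))
    return one_day_wonders(lifetimes), suspicious_parents(lifetimes)


if __name__ == "__main__":
    wonders, parents = analyse(SAMPLE_LOG)
    print("short-lived hosts:", sorted(wonders))
    print("parents to triage:", parents)
```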

Hugh and I also had an imaginative
debate on current trends, including the Internet of Things. We both agree that
security cannot be contained within devices alone. Against a landscape of continuously
fragmenting technology (into larger networks of smaller devices), rapidly
changing platforms, and uncertain access policies, security must migrate into
the network. The challenge of course is where, when and how this will
materialise. And of course who will control it.

Security and the Internet of Things
David Lacey, 2014-10-23

Whether you like the term or
not the so-called Internet of Things is generating a huge amount of interest,
and a growing amount of security research, including great opportunities for forward-looking
security practitioners. The label of course is simply a passing fashion. Just
like EDI or Knowledge Management, it's not likely to survive for more than a year or two, though
the problem and solution spaces it occupies will continue to blossom for
decades.

So what is it exactly? And what
sort of security does it require? These are good questions that have yet to be answered
adequately. I can imagine a future world in which billions of devices interact safely
and securely. But this world is far from possible with today's technology. In
fact today's initiatives are no more than very small beginnings: a handful of private
machine-to-machine networks, a few attempts to standardise on communications protocols,
and one or two initiatives to develop a public catalogue for sensor data.

All of this falls well short
of the world imagined by the brilliant Neil Gershenfeld fifteen years ago in his
visionary book "When things start to think". Radical change is very easy to
imagine, but it's extremely hard to bring it about. There remain many tough problems
yet to be solved to realize the Internet of Things. Ones that spring to my mind
for example are the following.

Where is the bullet-proof
data ontology to enable reliable translation of critical data between systems? (I've
heard a few whispers about vocabularies under development. That's nowhere near
enough.)

How can we develop access
policies for interaction between devices when we're not quite sure where, when,
how, or by whom the data will be exploited? Security technology is worthless without
a requirements specification.

Who will control the
security and where will it sit? Will it be in devices? I think not. Will it be
in the network? I think so. But who takes control?

Who will be liable
for serious incidents arising from accidental or deliberate misuse or manipulation
of sensor information? Against a business landscape of increasing product
liability this is no trivial question.

We are clearly at a very
early stage in developing the vision for the Internet of Things. Perhaps, just
like the World Wide Web, it will begin as an anarchistic Wild West of experimental
but dangerous, read-only applications. And maybe it will begin to flourish for
business applications when we finally develop a security breakthrough equivalent
to the acceptance of the SSL protocol.

One thing that is certain is that
we will not achieve much progress without early casualties. So let us hope that
there are pioneers brave enough to accept or ignore the risks.

Special skills for special security problems
David Lacey, 2014-09-22

I was pleased to read in the
Sunday Telegraph that GCHQ values the security skills of dyslexic young people,
employing over 100 dyslexic and dyspraxic neuro-diverse analysts. I fully
support this idea. Unfortunately most professional development schemes fail to recognize
these abilities, generally promoting dull management capabilities rather than sharp
analysis skills.

Eventually this will change,
though the transition will be slow. There are however a few catalysts. My book
"Managing the Human Factor in Information Security" hinted at these skills but failed
to lead a revolution. It was however one of the first security books to point
out the importance of cognitive skills, such as problem solving, attention to
detail, curiosity, pattern recognition, and systems thinking.

Vinod Patel, a father of two
boys with autism, has been more successful. He advocates the use of graduates
with high functioning Autism or Asperger's to look for patterns and anomalies
in big data and use their excellent memory and procedural capabilities to
remediate security threats.

He has already developed a
ready workforce of appropriately skilled practitioners, as well as a source of additional
resources through the National Autistic Society, with the support of Professor
Baron-Cohen of the Autism Research Centre at Cambridge. Vinod has found some success
in persuading security companies to exploit their talents. Just check out this remarkable video.

Isn't that a great security
story?

We need to speed up security
David Lacey, 2014-09-05

I'm finally back blogging
after a delightful summer break. Surprisingly, not a lot has changed in the
cyber security world. Big security breaches have been surprisingly thin on the
ground. And most have resulted from predictable human failings or greed, rather
than technical weaknesses. There have been few recent reports of dangerous
APTs, except perhaps for an inevitable attack on Apple users, many of whom may
have naively assumed they were immune from such threats.

Anyone that understands the motives
of attackers and the vulnerability of our critical infrastructure will know
that professional attacks have not gone away. They are just much harder to
detect. There is clearly much more to come, especially given a steeply
increasing terrorist threat.

I sense however that we are
some years from a major disaster, though I expect it will occur well before we
are able to implement effective countermeasures. That's because the most
significant failing of the security community is in responding quickly to new
threats. There are one or two exceptions of course, generally in areas where business
sets stretch targets for security developers.

The mobile world is one such
area. A few days ago I attended the excellent, annual exhibition at the Royal
Holloway University Smart Card Centre. There were some first-class
presentations, especially the talk by Dr. Klaus Vedder, a real expert in this
field, who convinced me that mobile devices are the focus of the fastest-moving
developments in cyber security. Product developers race to bring new
technologies to market in record time. And they need to be sufficiently secure
for the marketplace.

In sharp contrast the
presentations on government cryptographic development reflected a legacy of lethargy,
underpinned by outrageous demands from a bygone age. New products require a minimum
five-year time scale, and must be designed to be secure for 20 years and to
protect data for 30 years. Such assumptions reflect an absence of business
pressure for stretch targets.

Security processes are slow
because nobody in business cares sufficiently to whip them into shape. Society should
demand better than this to safeguard our critical intellectual assets.

Meetings with remarkable security men
David Lacey, 2014-06-27

This week Doc Hugh Thompson
of RSA fame was in London. We had an interesting and entertaining debate on
current and future trends. Hugh is a consummate, multi-tasking professional:
lecturer in Cyber Security at Columbia University; Chair of RSA Conference; and
Chief Security Strategist at Blue Coat. He's also a larger-than-life character,
with a keen interest in technology, human behaviour, and innovation.

Blue Coat products have a
strong position in the market (80% of Fortune 500 they tell me) based on their
easy-to-deploy security appliances which have the useful feature of providing
visibility of encrypted SSL traffic. They have recently added additional
features such as sandboxing and advanced analytics to combat APT threats,
making them a good choice for an enterprise security gateway.

Not surprisingly, we talked
about encryption. Default encryption has been suggested as the best way to protect
web users' privacy online, and it's on the increase as more and more
organizations switch from http to https. Hugh tells me that around 25% of
incoming business traffic is now encrypted. However, this trend presents a
major problem for enterprises, as it also enables attackers to hide their communications.
Security demands the ability to read traffic. Encryption creates as many
problems as it solves. In my view it will not succeed. The future is more
likely to be a hyper-connected world in which no information is secure.

Information sharing is
another hot issue we discussed. I take the view that it's simply not viable as
legal, compliance, and political considerations discourage any release of
sensitive information to third parties. Governments can't easily share secrets
with international companies. And executive boards don't like security managers
telling others about incidents. Countries with state-owned industries clearly
have an advantage here, though such an infrastructure carries its own baggage.

Another topic was conference audiences. RSA Conference has seen a trend away from a technical security community
towards a more business oriented security community. My view is that security
managers are going native. They need to stand up to, rather than succumb to, business
managers. I've also noticed that compliance and audit functions are now setting more of the security agenda. Large financial organizations now have almost ten times more people
policing them than securing them. At this rate ISACA conferences will overtake RSA
conferences in size.

We both agreed that speed,
imagination, and attention to the human factor are the keys to security in the
future. CSOs need to escape the burden of compliance and be empowered to
practice real security. Personally I don't believe this will happen until after an electronic
Pearl Harbour incident.

Unfortunately we ran out of
time to discuss deeper issues. But we did agree to continue the discussion next
time Hugh is in town.

Ten answers to cyber security
David Lacey, 2014-06-23

My last posting was perhaps
a bit too negative. I should correct that by setting out my own solutions to cyber security. Here are my ten
answers.

Invest more public money into imaginative new approaches to malware
detection.

Ten top experts and ten steps backwards
David Lacey, 2014-06-22

I was fascinated to see that the latest issue of Forbes
magazine has a feature on cyber security. It sets out what must be fixed
according to ten top experts. Have they got it right?

The answer sadly is a
resounding "no". But just how bad can that be? Unfortunately it's pretty dire. On this evidence the problem lies with the
experts, not the practitioners. It's unfortunate because many executive boards don't listen to their security managers, but they do pay attention to media pundits.

So what did the top ten experts suggest?

Not
a lot that makes sense to real practitioners. Every one of them "muttered
something about there being no silver bullets". In my view that's a negative attitude because we
would all like to find a silver bullet and there's absolutely no reason why they should not
exist. Such reasoning reflects a lack of imagination and a disdain for smart
solutions.

I expected more from Brian
Krebs, an investigative journalist, who could only say that "it requires a
mindset shift. I'd like to see more users place far less reliance on automated
tools". Not good advice in my view. In a fast moving, dynamic environment, we
need more technology and automation.

Scott Charney, a Microsoft VP,
suggested that the answer was for "companies to be transparent about how they
handle data" and "to have robust corporate programs to protect privacy". Such statements
are likely to be regarded as meaningless waffle by most streetwise CISOs and auditors. And few businesses will genuinely embrace privacy because it restricts business exploitation of data.

Cisco's Chris Young suggests that
the problem is increased by the so-called "Internet of Things" which demands a "threat-centric
approach to security". Personally I thought we'd already been doing that for thirty
years or more.

Chad Sweet, a CEO of a security
and risk advisory firm, suggested that we need "cyber audits" to give stakeholders confidence. To the experienced CISO, inundated with audits, this will be bad news.

Edith Ramirez, chairwoman
of the FTC, thinks the answer is encryption. Perhaps she has yet to experience the
down side of this magic bullet, which many of us have found to create as many problems
as it solves.

Heather Adkins, a Google
security manager, sees the problem as a technical one associated with 60s and
70s vintage systems. (Gosh. What was wrong with them?) She thinks the answer is to reduce the attack
surface, which is a great idea if you are actually in a position to do that.
Unfortunately many business trends are going in the opposite direction.

Daniel Suarez, a sci-fi writer (Whoa!) suggests
the answer is to scrap the Internet and build an Apollo-like, secure network for
critical infrastructure. He's right but it's an impossible dream.

Peter Singer, an author,
thinks it's all about human incentives. The answer is to adopt a mantra of "keep
calm and carry on". This is very pragmatic of course, but ultimately rather too
defeatist.

Christopher Soghoian, a technologist,
suggests that the problem is politics and the need to have a forceful agency that
makes everyone patch vulnerabilities. Dream on.

Joe Sullivan, CSO at Facebook,
suggests the answer is to have a security infrastructure that keeps up with the
billions of people coming online. That seems like good advice, so let's look to
Facebook for a secure environment.

Is this the best we can do? Of course not. Business and citizens deserve much better from vendors, institutions,
and journalists. If our pundits cannot see the solutions we are doomed to wait
many years before the real issues are recognised and the real solutions developed.

Frameworks, Bloody Frameworks
David Lacey, 2014-06-11

Last night a friend sent me an email drawing attention to the UK Government's new cyber security
scheme. This one is called "Cyber Essentials". So what's new? And what does it
offer?

The answer is very little. It
contains no new advice or controls. It's incomplete and insufficient. And it's not mandated by regulators.
In fact it's nothing more than a restructuring of advice already covered by more
important standards.

It's unfortunate that governments
and institutes insist on publishing their own versions of standards at a time
when many enterprises are forced to address specific ones. The most widely
enforced standard at present is the Payment Card Industry Data Security Standard (PCI DSS). But this important standard is not even mentioned in the Cyber Essentials guide.

The unfortunate truth is that cyber security standards are a
nightmare for enterprises of all sizes. Big companies are required to provide
annual evidence of the existence of hundreds of control requirements. Small retailers
are forced to employ expensive consultants to translate technical standards
into action.

It's not advice we need, but consistency.
In a world awash with standards, where tick-box compliance has replaced security, what matters is structure more than content. This perhaps explains why Cyber Essentials contains an appendix mapping
the new standard onto several others. Unfortunately it doesn't cover the 220 controls
in the PCI DSS so it's no use to the millions of retailers out there.

There's no benefit in having all the right words, but not necessarily in the right order. Any framework is
a means to an end, not an end in itself. If that end is to complete a
questionnaire, then the questionnaire structure is the sequence you require. If it's
to design a compliance workflow system, you need a framework structured around
organisation responsibilities. If it's just for use as a reference document, you simply
need a good index.

There are more than a dozen
ways of structuring a security standard. I know because I experimented with all
of them when drafting the original BSI Code of Practice back in 1993. You can
do it around process, services, life cycles, technology, job function, subject
areas, etc. Or you can simply pluck headings out of the air, as many standards do.

The COBIT 5 standard is
structured around organizational processes. The ITIL standard around IT services.
ISO 27000 was originally structured around ten "natural subject areas" as might
be encountered in enterprise security manuals. The ISF Standard of Good Practice
is structured around six areas of IT Security responsibility, mapped
onto several dozen individual topics. In contrast ISO management systems tend to follow a "Plan, Do,
Check, Act" life cycle.

Other standards are more arbitrary.
The PCI DSS follows an unusual structure of twelve broad control requirements
grouped into six overall headings, which collectively define more than two
hundred individual, prescriptive requirements. A further complication in
navigating PCI DSS requirements is the fact that the standard is also enforced
through a "Prioritized Approach" which sets out the controls in a completely different
order, reflecting the urgency of their implementation.

Further security standards
published by governments and specialist circles such as the Cloud Security Alliance have only added to the navigation challenge
facing CISOs. The Cyber Essentials standard
adds a tad more confusion by adopting a new structure of five subject areas pointing to "Ten Steps
to Cyber Security". Will the madness
ever end?